The worm that is actually an antivirus...



botmaster
11-03-2008, 07:02 PM
Is this sort of thing possible?

Let's just, for sake of assumption, say you have a hugeass botnet under control (200k systems and growing...). Would it be possible to create a worm that is actually an antivirus that fortifies the OS of the botnet's zombies and upload it to them?

For example, let's say one of the zombies is a winXP computer running no other security programs, no Windows updates, and has a user who is completely ignorant. By "accidentally" downloading and installing the antivirus worm, his computer is constantly being virus scanned in the background with a maximum CPU and memory usage of 5%, and his system periodically connects to several peers in the botnet to check for updates and patches for new exploits. So it has the features of a rootkit (hides itself), but it's not really a rootkit because it's not doing any harm to the system besides cleaning it up and securing it.

I don't know if this is possible (would be a large amount of coding, especially for the p2p update system crypto), but I just want your input on this. I know it's not legal and all that, but we're speaking hypothetically here.
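
The "p2p update system crypto" the post worries about is the part that decides whether this is a benign agent or just another botnet: if any peer can push code to the others, whoever compromises one peer owns all 200k. The minimum a node needs before installing anything it fetched from a peer is (1) a signature from a key pinned in the binary, (2) a version number that only goes up, so a valid-but-old build cannot be replayed, and (3) a hash binding the signed manifest to the bytes actually received. The following is an added example, not code from the original post; the manifest layout, the field names and the Ed25519 choice are my assumptions, and the payloads and keys are constructed in the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what a peer hands out when asked "any updates?" (hypothetical
// format). Version must only ever increase, so an attacker-controlled peer
// cannot replay an old, vulnerable build. The signature covers
// Version || PayloadHash, never the payload itself, so the manifest is small.
type Manifest struct {
	Version     uint64
	PayloadHash [32]byte // SHA-256 of the update payload
	Signature   []byte   // Ed25519 over manifestBytes(Version, PayloadHash)
}

// manifestBytes is the fixed-width encoding that gets signed.
func manifestBytes(version uint64, h [32]byte) []byte {
	b := make([]byte, 8+32)
	binary.BigEndian.PutUint64(b[:8], version)
	copy(b[8:], h[:])
	return b
}

// Sign runs on the maintainer side, offline; the private key never reaches a node.
func Sign(priv ed25519.PrivateKey, version uint64, payload []byte) Manifest {
	h := sha256.Sum256(payload)
	return Manifest{
		Version:     version,
		PayloadHash: h,
		Signature:   ed25519.Sign(priv, manifestBytes(version, h)),
	}
}

// Verify runs on every node before it installs anything received from a peer.
// pub is baked into the node binary; current is the version it already runs.
// Order matters: check the signature first so an unsigned manifest cannot
// influence anything, then anti-rollback, then that the bytes match.
func Verify(pub ed25519.PublicKey, current uint64, m Manifest, payload []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.PayloadHash), m.Signature) {
		return errors.New("bad signature: manifest was not issued by the pinned key")
	}
	if m.Version <= current {
		return errors.New("rollback/replay: version is not newer than the installed one")
	}
	if sha256.Sum256(payload) != m.PayloadHash {
		return errors.New("payload does not match the signed hash")
	}
	return nil
}

// Scenario exercises the four cases a node must handle. Keys and payloads are
// generated here as constructed sample data, not a real update.
func Scenario() (genuine, tampered, replayed, forged error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // a hostile peer's key

	v1 := []byte("av-engine build 1 (constructed sample payload)")
	v2 := []byte("av-engine build 2 (constructed sample payload)")
	m1 := Sign(priv, 1, v1)
	m2 := Sign(priv, 2, v2)

	genuine = Verify(pub, 1, m2, v2)                      // newer, signed, intact: nil
	tampered = Verify(pub, 1, m2, append(v2, '!'))        // hash mismatch
	replayed = Verify(pub, 2, m1, v1)                     // valid signature, old version
	forged = Verify(pub, 1, Sign(attackerPriv, 3, v2), v2) // signed with the wrong key
	return
}

func main() {
	g, t, r, f := Scenario()
	fmt.Println("genuine: ", g)
	fmt.Println("tampered:", t)
	fmt.Println("replayed:", r)
	fmt.Println("forged:  ", f)
}
```

Two caveats a practitioner would add: the pinned key is a single point of failure (leak it and every node will happily install whatever is signed with it), and none of this says anything about consent; it only proves the code came from whoever holds the key, which is exactly the property a conventional botnet's C2 wants as well.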

mastaraymond
11-03-2008, 07:37 PM
Would be funny. But it wouldn't work. Simply because people do not trust it. They don't know who made it, what it's doing, when it's working, etc.

botmaster
11-03-2008, 07:59 PM
Would be funny. But it wouldn't work. Simply because people do not trust it. They don't know who made it, what it's doing, when it's working, etc.

That's the whole point :D . I'm not sure if there's any way to hide the tracks of something like this, but there are enough stupid morons out there who leave their computer unprotected. Of course, this doesn't apply to 99% of the people on this forum (I'm pretty sure most people here are security aware), but to the rest of the world population who DOESN'T check. And even if they do, a kernel-level rootkit should take care of the casual onlooker. Maybe only use idle CPU time.

I betcha the antivirus companies wouldn't like it, as their profits might suffer, so yeah, they would make the job a lot harder and concentrate their efforts on this kind of malware.

mastaraymond
11-03-2008, 08:16 PM
That's the whole point :D . I'm not sure if there's any way to hide the tracks of something like this, but there are enough stupid morons out there who leave their computer unprotected. Of course, this doesn't apply to 99% of the people on this forum (I'm pretty sure most people here are security aware), but to the rest of the world population who DOESN'T check. And even if they do, a kernel-level rootkit should take care of the casual onlooker. Maybe only use idle CPU time.

I betcha the antivirus companies wouldn't like it, as their profits might suffer, so yeah, they would make the job a lot harder and concentrate their efforts on this kind of malware.

To be honest.. most modern computers (full systems) come with an antivirus scanner installed. And the people who build computers themselves are smart enough to get an antivirus scanner. xD

Mr.Klean
11-03-2008, 09:44 PM
Well, including the AV stuff would boost the size; in essence, though, it is possible. It would just take a lot of coding.

Yakman
11-04-2008, 05:06 PM
You always do this: when you break into a computer, always patch it up so no one gets in the same way you did.

Also, there are helpful worms (http://en.wikipedia.org/wiki/Helpful_worm) that do something like what you're talking about.


BTW, it's still a rootkit if you can get root from it.
Whether you use root for harmful or beneficial reasons is up to you.

R0b0t1
11-06-2008, 01:32 AM
Yes, this has been done before. Although it did restart the computer without the consent of the user, so they might've lost information.


EDIT: I'm talking about only "positive" actions.